Python: Installing netmiko (paramiko) on Windows 10 PC for automation

In order to write a script and automate your infra devices via ssh/telnet, python uses paramiko. In Linux/MAC OS environment, it is easy to install or this module is already included as a package. For windows, the module installation process is more cumbersome. I have come a few articles on Google attempting to do this but the examples given were clear as mud. Here is a precise steps for the installation and also some troubleshooting URLs referenced for your convenience. 🙂

1. Install Python (

2. Install Anaconda. (

3. From the Anaconda Prompt (Shell), run “conda install paramiko”.

4. From the Anaconda Prompt (Shell), run “pip install scp”.

5. Install git for Windows. (

6. From Git Bash window. Clone netmiko with “git clone”

7.From Git Bash window. Unable to install Netmiko in windows after it cloned. define the path for python.

bchoi@AUD-4D1KYF2 MINGW32 /h/netmiko (develop)

$ export PATH=$PATH:/C/Users/bchoi/AppData/Local/Programs/Python/Python36-32

8. cd into the netmiko directory and run “python install”.

bchoi@AUD-4D1KYF2 MINGW32 /h/netmiko (develop)

$ python install

End result: You can now use parmiko on your windows PC!

paramiko OK

Tip1: To display Windows 10 Roaming folder

Unable to install Netmiko in windows after it cloned:



Putty Trick – 1. Save output to a file

To automatically save the output to a file while using Putty, you can change one setting of Putty to achieve this.
1. Start putty.exe.
2. Go to Session -> Logging.
3. Select “Printable output”
4. Choose the folder, where you want the file to be placed.
5. Append a file name like &H_&Y&M&D_&T.log to the path (host_YearMonthDay_time.log)
6. Save the profile as default settings.

CCNA Security 210-260 (Santos & Stuppi): Ch01 Questions

I have been away from study as well as blogging for sometime due to my on-going health issues. This year alone, I’ve had three operations and have been off the tangent on my study. Actually, two but the last one was a spin-off of the second. The first was in May, embarrassing to say this but the operation was for hemorrhoidectomy and colonoscopy, it brought me down for about 3 weeks. Then 3 weeks ago, I’ve had a Tonsillectomy, I was so glad that I was finally saying good bye to my beloved 40 year old tonsillitis. Post operation, I was almost over the hill, then on the 14th day, a scab came off the operated part and started bleeding crazy. Last Sunday, I went into Emergency and after almost bleeding to death for 8 hours, the ENT specicialist decided to operate on me again under full anesthetics. I was out for another week and looking forward to going back to work tomorrow. Sadly, I felt the pain up the bumb as well as in the mouth this year. Hopefully, I can keep my promise to completed the CCNA Security 210-260 before the year end. ;).

For anyone who is also struggling with their study, keep your forcus and keep going until you see the end of the tunnel. Yes, there are many tunnels to crosss in our industry, if you stop, you might get run over by the traffic behind you, so keep moving. 🙂

To help the exam prep and also make some go to points, I will simply refer the questions from the books. Yes, I did purchased a hard copy to study for this exam, the videos are also also available from (Santos & Stuppi videos). Older Barker version is available off torrent sites as form of cbtnugget videos. Love watching Keith Barker’s cbtnuggets, he is a true  legend!

1. Which security term refers to a person, property, or data of value to a company?
a. Risk
b. Asset
c. Threat prevention
d. Mitigation technique

2. Which asset characteristic refers to risk that results from a threat and lack of a countermeasure?
a. High availability
b. Liability
c. Threat prevention
d. Vulnerability

3. Which three items are the primary network security objectives for a company?
a. Revenue generation
b. Confidentiality
c. Integrity
d. Availability

4. Which data classification label is usually not found in a government organisation?
a. Unclassified
b. Classified but not important
c. Sensitive but unclassified
d. For official use only e. Secret
5. Which of the following represents a physical control?
a. Change control policy
b. Background checks
c. Electronic lock
d. Access lists

6. What is the primary motivation for most attacks against networks today?
a. Political
b. Financial
c. Theological
d. Curiosity

7. Which type of an attack involves lying about the source address of a frame or packet?
a. Man-in-the-middle attack
b. Denial-of-service attack
c. Reconnaissance attack
d. Spoofing attack

8. Which two approaches to security provide the most secure results on day one?
a. Role based
b. Defense in depth
c. Authentication
d. Least privilege

9. Which of the following might you find in a network that is based on a defense-in-depth security implementation? (Choose all that apply.)
a. Firewall
b. IPS
c. Access lists
d. Current patches on servers

10. In relation to production networks, which of the following are viable options when dealing with risk? (Choose all that apply.)
a. Ignore it
b. Transfer it
c. Mitigate it
d. Remove it

CCNA Security 210-260: Module 2: Virtual Private Networks (VPNs), Lesson 4: Fundamentals of IP Security


Lesson 4: Fundamentals of IP Security
4.1 IPsec Concepts, Components, and Operations
4.2 IKE version 1 Fundamentals
4.3 IKE version 2 Fundamentals


4.1 IPsec Concepts, Components, and Operations

The Internet Key Exchange (IKE) Protocol
– IPsec uses IKE protocol to negotiate and establish secured site-to-site or remote access virtual private network (VPN) tunnels.

– IKE is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP) and parts of two other key management protocols, namely Oakley and Secure Key Exchange Mechanism (SKEME).

– In IKE Phase 1: IPsec peers negotiate and authenticate each other. In Phase 2, they negotiate keying materials and algorithms for the encryption of the data being transferred over the IPsec tunnel.
Two versions of IKEs.
IKE v1: Defined in RFC 2409
IKE v2: Defined in RFC 4306

IKE Protocol Details:
– IKE v2 enhances the function of performing dynamic key exchange and peer authentication.
– IKE v2 simplifies the key exchange flows and introduces measures to fix vulnerabilities present in IKEv1.
– Both IKEv1 and IKEv2 protocols operate in two phases.
– IKEv2 provides a simpler and more efficient exchange.


4.2 IKE version 1 Fundamentals

IKEv1: Who begins the negotiation?
– The initiator sends over all of its IKE Phase 1 policies, and the other VPN peer looks at all of those policies to see whether any of its own policies match the ones it just received.
– If there is a matching policy, the recipient of the negotiations sends back information about which received policy matches, and they use that matching policy for the IKE Phase 1 tunnel.

IKEv1 Phase 1
A handy way to recall the five pieces involved in the negotiation of the IKE Phase 1 tunnel, you might want to remember that the two devices HAGLE over IKE Phase 1:

H: Hash
A: Authentication Method
G: DH group (a stretch, but it works)
L: Lifetime of the IKE Phase 1 tunnel
E: Encryption algorithm to use for the IKE Phase 1 tunnel
The DH (Diffie-Hellman) Exchange
– Now having agreed to the IKEv1 Phase 1 policy of the peer, the two devices run the DH key exchange.
– They use the DH group (DH key size for the exchange) they agreed to during the negotiations, and at the end of this key exchange they both have symmetrical keying material (which is a fancy way of saying they both have the same secret keys that they can use with symmetrical algorithms).
– DH allows two devices that do not yet have a secure connection to establish shared secret keying material (keys that can be used with symmetrical algorithms, such as AES).
Authenticating the peer (last step in IKEv1 phase 1)
– The last step of IKE Phase 1 is to validate or authenticate the peer on the other side.
– For Authentication, they use whatever they agreed to in the initial proposal/policy, and if they successfully authenticate with each other, we now have an IKE Phase 1 tunnel in place between the two VPN gateways.
– The authentication could be done either using a PSK or using RSA digital signatures.


Phase 1:
– The next step is to complete the IKEv1 Phase 2 negotiation.
– The entire conversation and negotiation of the IKEv1 Phase 2 tunnel are completely done in private because of the IKEv1 Phase 1 tunnel protection the negotiated traffic.
– The IKE Phase 2 tunnel includes the hashing and encryption algorithms.
– The name of the mode for building the IKE Phase 2 tunnel is called “Quick Mode“.
4.3 IKE version 2 Fundamentals

What’s different in IKEv2?

* IKEv2 does not consume as much bandwidth as IKEv1.
* IKEv2 supports EAP authentication while IKEv1 doesn’t.
* IKEv2 supports the Mobility and Multi-homing (MOBIKE) protocol while IKEv1 doesn’t.
* IKEv2 has built-in NAT traversal while IKEv1 doesn’t.

** UDP port 4500 is used.
*** Protocol 50 (ESP) or 51 (AH)
*** NAT Transversal need to be used on UDP port 4500

IKEv2 Phase 2
* Phase 2 in IKEv2 is CHILD_SA (Child Security Association)
* The first CHILD_SA is the IKE_AUTH message pair.
* This phase is comparable to IKEv1 Phase 2.
* Additional CHILD_SA message pairs can be sent for rekey and informational messages.
* The CHILD_SA attributes are defined in the Data Policy.